As no administrators have yet replied, here's one answer offered out from https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java%2C+or+whatever%29+is+no t+an+Option.../14947 ... which lines up rather nicely with what I've divined from my analysis of access logs for Java hits.
This isn't an exact answer to your question, but things that we've considered or implemented for the purpose of avoiding Java pwnage include:
- file type (either as determined by MWG or by what the server sends back as Content-Type)
- file name
- monitoring notifications
- whitelisting specific destinations
- coaching pages for java and uncategorized sites